1. Home
  2. CWE Database
  3. CWE-11
Variant · Low-Medium

CWE-11: ASP.NET Misconfiguration: Creating Debug Binary

Debugging messages help attackers learn about the system and plan a form of attack.

CWE-11 · Variant Level ·1 Mitigations

Description

Debugging messages help attackers learn about the system and plan a form of attack.

ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production.

Potential Impact

Confidentiality

Read Application Data

Demonstrative Examples

The file web.config contains the debug mode setting. Setting debug to "true" will let the browser display debugging information.
Bad
<?xml version="1.0" encoding="utf-8" ?><configuration><system.web><compilationdefaultLanguage="c#"debug="true"/>...</system.web></configuration>
Change the debug mode to false when the application is deployed into production.

Mitigations & Prevention

System Configuration

Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-489: Active Debug Code

The product is released with debugging code still enabled or active.

Taxonomy Mappings

  • 7 Pernicious Kingdoms: — ASP.NET Misconfiguration: Creating Debug Binary

Frequently Asked Questions

What is CWE-11?

CWE-11 (ASP.NET Misconfiguration: Creating Debug Binary) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Debugging messages help attackers learn about the system and plan a form of attack.

How can CWE-11 be exploited?

Attackers can exploit CWE-11 (ASP.NET Misconfiguration: Creating Debug Binary) to read application data. This weakness is typically introduced during the Implementation, Build and Compilation phase of software development.

How do I prevent CWE-11?

Key mitigations include: Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production.

What is the severity of CWE-11?

CWE-11 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.